Create a Policy-Based Site-to-Site VPN
A site-to-site VPN allows secure communications between two sites in an organization.
Before You Begin
Read the IPsec VPN Overview topic.
Review the IPsec VPN main page for an understanding of your current data set. See IPsec VPN Main Page Fields for the field descriptions.
Create addresses and address sets. See Create Addresses or Address Groups.
Create VPN profiles. See Creating VPN Profiles.
Define extranet devices. See Creating Extranet Devices.
To create a policy-based site-to-site VPN:
Settings |
Guidelines |
---|---|
General | |
Name |
Enter a unique string of maximum 63 alphanumeric characters without spaces. The string can contain colons, periods, dashes, and underscores. |
Description |
Enter a description containing maximum 255 characters for the VPN. |
VPN profile |
Select a VPN profile from the drop-down list based on the deployment scenario.
|
Authentication method |
Select an authentication method from the list that the device uses to authenticate the source of IKE messages.
|
Max transmission unit |
Select the maximum transmission unit (MTU) in bytes. MTU defines the maximum size of an IP packet, including the IPsec overhead. You can specify the MTU value for the tunnel endpoint. The valid range is 68 to 9192 bytes, and the default value is 1500 bytes. |
Pre-shared key |
Establish a VPN connection using pre-shared keys, which is essentially a password that is same for both parties. Pre-shared keys are commonly deployed for site-to-site IPsec VPNs, either within a single organization or between different organizations. Select the type of pre-shared key to use:
Pre-shared keys are applicable only if the authentication method is pre-shared based. |
Devices |
Add devices as endpoints in the VPN. You can add maximum two devices. Note:
You cannot add a multinode high availability (MNHA) pair. But, you can add one or both the devices in the MNHA pair.
|
Settings |
Guidelines |
---|---|
Device |
Select a device. |
External interface |
Select the outgoing interface for IKE security associations (SAs). This interface is associated with a zone that acts as its carrier, providing firewall security for it. |
Settings |
Guidelines |
---|---|
IKE Settings |
|
Authentication method |
Select an authentication method from the list that the device uses to authenticate the source of IKE messages.
|
IKE version |
Select the V1 IKE version which is used to negotiate dynamic security associations (SAs) for IPsec. |
Mode |
Select an IKE policy mode.
Mode is applicable when the IKE Version is V1. |
Encryption algorithm |
Select the appropriate encryption mechanism. |
Authentication algorithm |
Select an algorithm. The device uses this algorithm to verify the authenticity and integrity of a packet. |
Deffie Hellman group |
Select a group. Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. |
Lifetime seconds |
Select a lifetime of an IKE security association (SA) in seconds. The valid range is from 180 to 86400 seconds. |
Dead peer detection |
Enable this option to permit the two gateways to determine if the peer gateway is up and responding to the Dead Peer Detection (DPD) messages that are negotiated during IPsec establishment. |
DPD mode |
Select a DPD Mode.
|
DPD interval |
Select an interval in seconds to send dead peer detection messages. The default interval is 10 seconds with a valid range of 2 to 60 seconds. |
DPD threshold |
Select the failure DPD threshold value. This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 times with a valid range of 1 to 5. |
Advanced Configuration |
|
General IKE ID |
Enable this option to accept peer IKE ID. This option is disabled by default. If General IKE ID is enabled, the IKE ID option is disabled automatically. |
IKE ID |
Select one of the following options:
IKE ID is applicable only when General IKE ID is disabled. |
NAT-T |
Enable Network Address Translation-Traversal (NAT-T) if the dynamic endpoint is behind a NAT device. |
Keep alive |
Select a period in seconds to keep the connection alive. NAT Keepalives are required to maintain the NAT translation during the connection between the VPN peers. The valid range is from 1 to 300 seconds. |
IPSec Settings |
|
Protocol |
Select the required protocol to establish the VPN.
|
Encryption algorithm |
Select the encryption method. This option is applicable if the Protocol is ESP. |
Authentication algorithm |
Select an algorithm. The device uses these algorithms to verify the authenticity and integrity of a packet. |
Perfect forward secrecy |
Select Perfect Forward Secrecy (PFS) as the method that the device uses to generate the encryption key. The PFS generates each new encryption key independently from the previous key. The higher numbered groups provide more security but require more processing time. |
Establish tunnel |
Select an option to specify when IKE is activated.
|
Advanced Configuration |
|
VPN monitor |
Enable this option to send Internet Control Message Protocol (ICMP) to determine if the VPN is up. |
Optimized |
Enable this option to optimize VPN monitoring and configure SRX Series Firewalls to send ICMP echo requests, also called pings, only when there is outgoing traffic and no incoming traffic from the configured peer through the VPN tunnel. If there is incoming traffic through the VPN tunnel, the SRX Series Firewalls considers the tunnel to be active and do not send pings to the peer. |
Anti replay |
Enable this option for the IPsec mechanism to protect against a VPN attack that uses a sequence of numbers that are built into the IPsec packet. IPsec does not accept a packet for which it has already seen the same sequence number. It checks the sequence numbers and enforces the check rather than just ignoring the sequence numbers. Disable this option if there is an error with the IPsec mechanism that results in out-of-order packets, preventing proper functionality. By default, Anti replay detection is enabled. |
Install interval |
Select the maximum number of seconds to allow for the installation of a re-keyed outbound security association (SA) on the device. |
Idle time |
Select the appropriate idle time interval. The sessions and their corresponding translations typically time out after a certain period if no traffic is received. |
DF bit |
Select an option to process the Don’t Fragment (DF) bit in IP messages.
|
Copy outer DSCP |
Enable this option to allow copying of the Differentiated Services Code Point (DSCP) field from the outer IP header encrypted packet to the inner IP header plain text message on the decryption path. The benefit in enabling this option is that after IPsec decryption, clear text packets can follow the inner class-of-service (CoS) rules. |
Lifetime seconds |
Select a lifetime of an IKE security association (SA) in seconds. The valid range is from 180 to 86,400 seconds. |
Lifetime kilobytes |
Select the lifetime of an IPsec security association (SA) in kilobytes. The range is from 64 to 4294967294 kilobytes. |